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Introduction ra 


This chapter provides an inexhaustive list of behaviors that users should NOT do when strong anonymity is necessary. 


Anonymity Modes ss 


Confuse Anonymity with Pseudonymity is 


This chapter explains the difference between anonymity and pseudonymity. Note that defining terms is always a difficult process because a majority consensus is required: 


e Anonymous connection: A connection to a destination server, where it has no ability to discover the origin (IP address / location) of the connection, nor to associate any 
identifier !"! with it. 

e Pseudonymous connection: A connection to a destination server, where it has no ability to discover the origin (IP address / location) of the connection, but it can be associated 
with an identifier. l1! 


In an ideal world, perfection would be achieved by the Tor network, Tor Browser, computer hardware, physical security, the underlying operating system, and so on. For example, in 
this utopia the user could fetch a news website, and neither the news website or the website's ISP would have any idea if the user had ever made contact before. !! 


In contrast, the imperfect scenario results when software is used incorrectly, like when stock Firefox is used over the Tor network instead of the "Tor-safe" Tor Browser. The 
unfortunate Firefox user still protects their original connection (IP address / location) from discovery, but an identifier (like cookies) can be used to make that connection 
pseudonymous. For example, the destination website could log "user with id 111222333444 viewed Video Title A at Time B on Date C and Video Title D at Time E at Date F." This 
information can be used for profiling, which over time becomes more comprehensive. The anonymity set is gradually reduced, and in the worst case leads to de-anonymization. 


As soon as a user logs into a website with a username for activities like forum posting or webmail, the connection is by definition no longer anonymous, but pseudonymous. The 
origin of the connection (IP address / location) is still hidden, but the connection can be associated with an identifier !"!; in this case, an account name. Identifiers can be used to 
keep a log of various things: when a user wrote something, the date and time of login and logout, what a user wrote and to whom, the IP address used (useless if it is a Tor exit 

relay), the recorded browser fingerprint and so on. 


Maxim Kammerer, developer of Liberté Linux ll, has disparate ideas on anonymity and pseudonymity which should not be withheld from the reader: !! 


| have not seen a compelling argument for anonymity, as opposed to pseudonymity. Enlarging anonymity sets is something that Tor developers do in order to publish incremental papers and justify 
funding. Most users only need to be pseudonymous, where their location is hidden. Having a unique browser does not magically uncover user's location, if that user does not use that browser for non- 
pseudonymous activities. Having good browser header results on anonymity checkers equally does not mean much, because there are many ways to uncover more client details (e.g., via Javascript 
oddities). 


Mix Anonymity Modes [edit] 


A Warning: Do not mix modes of anonymity! 





The four primary modes are outlined below. 


Mode 1: Anonymous User; Any Recipient tait 


e Scenario: Posting messages anonymously in a message board, mailing list, comment field, forum and so on. 
e Scenario: Whistleblowers, activists, bloggers and similar users. 

e The user is anonymous. 

e The real IP address / location stays hidden. 

e Location privacy: The user's location remains secret. 


Mode 2: User Knows Recipient; Both Use Tor eaiy 


e Scenario: The sender and recipient know each other and both use Tor. 

e Communication occurs without any third party being aware of this activity or having knowledge that the the sender and recipient are communicating with each other. 
e The user is not anonymous. l 

e The user's real IP address / location stays hidden. 

e Location privacy: The user's location remains secret. 


Mode 3: User Non-anonymous and Using Tor; Any Recipient tait 


e Scenario: Logging in with a real name into any service like webmail, Twitter, Facebook and others. 

e The user is obviously not anonymous. As soon as the real name is used for the account login, the website knows the user's identity. Tor can not provide anonymity in these 
circumstances. 

e The user's real IP address / location stays hidden. 

e Location privacy. The user's location remains secret. !©! 


Mode 4: User Non-anonymous; Any Recipient tai 


e Scenario: Normal browsing without Tor. 

e The user is not anonymous. 

e The user's real IP address / location is revealed. 
e The user's location is revealed. 


Conclusion tesit 
Based on the preceding information, the table below outlines unrecommended behavior. 
Table: Dangerous Anonymity Mode Combinations 


Combination Example 


If the user has an instant messenger or email account and uses that via mode 1, it is inadvisable to use the same account for mode 2. The reason 
Anonymity modes 1 + 2 ee i , wi 
is the user is mixing absolute anonymity (mode 1) with selective anonymity (mode 2; since the recipient knows the user). 


Two or more modes inside Using an encrypted chat application over Tor and then posting in the Whonix ™ forum without rotating Tor circuits. If the modes share the same Tor 
the same Tor session exit relay, this could lead to identity correlation. 


Two or modes inside the Using the same Whonix-Workstation ™ for encrypted email as well as posting to a Tor Project mailing list. If the workstation is compromised, this 
same Whonix-Workstation ™ | leads to identity correlation. 


Other combinations Combining other modes may also be dangerous and could lead to the leakage of personal information or the user's physical location. 


License [edit] 
". [7] 


License of "Do not Mix Anonymity Modes": 


Identities, Personal and System Information s 


Disclose Identifying Data Online ts 


De-anonymization is not only possible with connections / IP addresses, but also via social threats. A number of sane recommendations suggested by Anonymous to avoid de- 
anonymization are listed below. Users should not: 


e Include personal information or interests in nicknames. 

e Discuss personal information like location, age, marital status and so on. Over time, discussions about something inane like the weather could lead to an accurate idea of the 
user's location. 

e Mention one's gender, tattoos, piercings, physical capacities or disabilities. 

e Mention one's profession, hobbies or involvement in activist groups. 

e Use special characters on the keyboard which only exist in your language. 

e Post information to the regular internet (clearnet) while anonymous. 

e Use Twitter, Facebook and other social network platforms. This is easy to correlate. 

e Post links to Facebook images. The image name contains a personal ID. 

e Connect to same destination at the same time of the day or night. Try to vary connection times. 

e Forget that IRC, other chats, forums, mailing lists and so on are public arenas. 

e Discuss anything personal whatsoever, even when securely and anonymously connecting to a group of strangers. 


o The group recipients are a potential hazardous risk ("known unknowns") and could have been forced to work against the user. 
o It only takes one informant to destroy a group. 


Perhaps most importantly, never forget heroes only exist in comic books and are actively targeted. There are only young heroes and dead heroes. 
If any identifying data must be disclosed, treat it as "sensitive data" as outlined in the previous point. 
License: From the JonDonym documentation larchivel (Permission lerehivel), 


Draw Wrong Conclusions cai 


Some users conclude that because various computing security mechanisms can be subverted in obscure cases, it is not worth implementing them. For example, they might: 


e Fail to use a BIOS password because computing history reveals a master BIOS password existed at some time. 

e Ignore advice relating to full disk encryption due to the existence of attack vectors like cold boot attacks. 

e Not set up Anti-evil Maid ["ehivel protection for their computer (despite the presence of a Trusted Platform Module), because research reveals that attackers can sometimes 
recover private keys from digital signature schemes. ll 

e Use less-researched, unproven, proprietary networks in preference to Tor, due to known vulnerabilities such as end-to-end correlation attacks. 


It is illogical to bypass long-studied and robust security mechanisms due to perceived failings, particularly if the user is not an expert in the area under consideration such as Tor 
routing, full disk encryption, and so on -- do not let the perfect be the enemy of the good. Computer software and hardware solutions will always remain imperfect, but steady, 
incremental improvements are occurring over time. It is a mistake to confuse the openness and understanding of developers / engineers who highlight shortcomings and then 
determine the software or hardware under discussion is irredeemable. 


Maintain Long-term Identities is 


The longer the same pseudonym is used, the higher the probability that mistakes are made which reveal the user's identity. Once this occurs, an adversary can go back and link all 
activity related to the pseudonym. As a precaution, regularly create new identities and stop using old ones. 


Post Full System Logs or Configuration Files ts 


On a typical computer system, logs will be generated by the host or virtual operating systems, applications, and other background processes. Each of the log entries records a 
variety of detailed information about system and network activity. Configuration files can also reveal details that degrade privacy. Depending on the log or configuration file in 
question, this may include: [°] [10] [11] 


e Tor bridges, guards or exits being used. 
e Host IP addresses. a l l l l 
o. , e Detailed hardware specifications, including potentially serial numbers. 
e Boot-time information. , l , , 
as , i e Software packages, version details, and installation events. 
e Specific locations where information originates like messages or emails. l l l 
, —— e Information about running mail or web servers. 
e Logins / authentication attempts. l l 
l e Printer and printing related information. 
e Timestamps. , : 
; e Timezone details. 
e Running background daemons. l l 
e Firewall settings. 
e Kernel messages. ; , ET 
, , , , , : e Misconfigured software applications. 
e Detailed operating system information, configurations and protocols. Eaa , 
; ; e Cron job information. 
e Details of all attached devices. l , 
e Command line operations. 
e Usernames and accounts. 
Pa e And more. 
e Privileged users. 


e Networking configurations and connections. 

e VPN providers and configurations. 
Logs are a useful tool for debugging or to better understand how well applications are running on a system. However, if a user is considering posting system logs when requesting 
assistance, then it should be carefully curated rather than posted in full. Similarly, it is dangerous to post full configuration files, for example, torrc files that reveal full bridge 
information. If this advice is ignored, the user may be inadvertently de-anonymized or might otherwise provide details that aid an adversary to attack their system. 


Post Sensitive Screenshots or Screen Photographs aij 


Users often post screenshots [hive], screen captures, or photographs of their entire desktop, without considering the privacy implications or potential metadata that is attached to 
the image. Depending on what is visible in the picture, this may reveal the user's operating system, timezone, username, documents, software packages and other sensitive 
information. !'2! If meta tags are not removed, particularly from photographs, then EXIF [archive] data [archive] could result in a significant reduction in the user's anonymity set, or in 
the worst case scenario lead to de-anonymization. 


Photographs with digital cameras may also reveal additional information due to screen reflections, visible objects outside of the screen, the amount of visible light (indicating the 
likely time of day or night), and possibly fingerprints left on the screen itself. Ata minimum, any uploaded images should be sanitized with the Metadata Anonymisation Toolkit or 
other other tools. 


send Sensitive Data without End-to-end Encryption ta 


A As already explained on the Warning page, Tor exit relays can eavesdrop on communications and man-in-the-middle attacks are possible, even with HTTPS. Using end-to- 


end encryption is the only way to send sensitive data to a recipient without it being potentially intercepted and disclosed to hostile third parties. 





Use Different Online Identities at the Same Time cai 


Managing contextual identities online is increasingly difficult and fraught with mistakes. Different online identities can be easily correlated if used simultaneously, since Tor may 
reuse circuits in the same browsing session or information could potentially leak from Whonix-Workstation ™. Whonix ™ does not magically separate different contextual identities. 


Use (Mobile) Phone Verification (cai 


Websites such as Google, Facebook and others will ask for a (mobile) phone number if attempting to login over Tor. Unless the user is really clever or has an alternative, this 
information should not be provided. 

Any phone numbers that are provided will have already been logged. The SIM card is most likely registered in the user's name. Even if this is not true, receiving an SMS gives 
away the user's location. Users can try to anonymously buy a SIM card far away from their usual home address, but there is still a risk: the phone itself. Each time the phone logs 
into the mobile network, the provider will log the SIM card serial number |'°! and the phone serial number. 14! If the SIM card is bought anonymously, but not the phone, it is not 
anonymous because these two serials will get linked. 

If a user really wants to do mobile verification, then a location far away from home is recommended, along with a fresh phone and a new SIM card. Afterwards, the phone must be 
turned off, and immediately both the phone and the SIM card should be completely destroyed. This may necessitate burning the items or other inventive (guaranteed) methods of 
destruction. 

Users could try to find an online service that will receive a personal SMS on their behalf. That would work and would be anonymous. The problem is this method will probably not 
work for Google and Facebook, because they actively blacklist such numbers for verification. Another option is trying to find someone else to receive the SMS for you, but that 
would only shift the risk to the other person. !"°! 


See also Phone Number Validation vs User Privacy and Account and Mobile Security. 


Internet Servers and Resources ra 


Connect to a Server Anonymously and Non-anonymously at the Same Time cai 


It is strongly recommended against creating Tor and non-Tor connections to the same remote server at the same time. In the event the internet connection breaks down (and it will 
eventually), all the connections will break simultaneously. Following that event, it is easy for an adversary to determine which public IP address / location belongs to which Tor IP 
address / connection, potentially identifying the user directly. 

This scenario also enables another form of attack by web servers. The speed of either the non-Tor or Tor connection can be increased or decreased, to see if there is a correlation. 
That is, if either connection gets faster or slower in unison, then the relationship between a non-Tor and Tor link can be established. 


License of "Do not connect to any server anonymously and non-anonymously at the same time!": !7! 


Open Random Files or Links cai 


If the user is sent any type of file or a link to the file (or a random internet URL/resource), either by email or another method, caution is recommended regardless of the file format. 
[16] That sender, mailbox, account, or key could be compromised and the file or link may have been prepared to infect the user's system when opened with a standard application. It 
is also feasible that files such as PDFs may leak a range of system data or have embedded tracking code which is activated when opened in a Internet-connected VM. 


It is safer not to open the file with the default tool that is expected by the file's creator. For example, a PDF should not be opened with a PDF viewer, or if the content is public, a 
free online PDF viewer could be used. Greater security would involve sanitizing the PDF in Qubes-Whonix ™, or opening the file or link in a DisposableVM so that it cannot 
compromise the user's platform. Even better, the computer can also be physically disconnected from the Internet or VM network access disabled before opening it. 


Spread your Own Link First tat 


A Avoid the temptation to be one of the first people to promote your new "anonymous" project! 





For example, it is inadvisable to spread links if the user: 


e Created an anonymous blog or onion service. 
e Has a twitter account with lots of followers. 
e Runs a big clearnet news page or similar. 


The more identities are separated, the better. Of course, at some point the user may or even must be "naturally" aware of the new project, but extreme caution is sensible at this 
juncture. 


Visit your Own Website when Anonymous eit 


"| wonder what my site looks like when I'm anonymous?" [17] 


It is best to avoid visiting personal websites where either real names or pseudonyms are attached, particularly if they have ever been tied to a non-Tor connection / IP address. 
Very few people are likely to visit your personal website over Tor, meaning the user may be the only unique Tor client to do so. 


This behavior leads to weak anonymity because once the website is visited the Tor circuit is "dirty". If the site is not popular and does not receive much traffic, the Tor exit relay can 
be fairly certain that the visiting individual is the user. After that point, it can be reasonably assumed that further connections originating from that Tor exit relay also come from the 
user's machine. 


Source: [18] 


LOGINS ro 


Login to Accounts Used without Tor tea 


Always assume that each time a website is visited, logging by the destination server will include: [°] 


e Client IP address / location. 

e Request date and time. 

e Specific webpages requested. 

e HTTP code. 

e Number of bytes served to the user. 
e The user's browser agent. 

e The referring website (referrer). 


Also assume that the Internet Service Provider (ISP) will at a minimum log total online time and the client IP address / location. The ISP may also log the IP address / location of 
visited destinations, how much traffic (data) was generated, and what was sent and retrieved. Unless Internet traffic is encrypted, the ISP will be able to see exactly what activities 
were performed, and the information sent or received. 


The following tables provide a simplified overview of how those logs may appear to administrators. 
Table: /SP Log 


Name Time IP/location Traffic 
John Doe 16:00 - 17:00 | 1.1.1.1 500 MB 


Table: Extended ISP Log '7°! 


Name Time IP/location Traffic Destination Content 
John Doe | 16:00 - 17:00 | 1.1.1.1 1MB (google.com | Searched for thing one, thing two... 


John Doe | 16:00 - 17:00 | 1.1.1.1 490 MB | youtube.com | Viewed video 1, video 2, ... 
John Doe |} 16:00 - 17:00 | 1.1.1.1 9MB _ |facebook.com Encrypted traffic 


Table: Website Log 


Name Time IP/location Traffic Content 
- 16:00 - 16.10 1.1.1.1 1MB _ Searched for thing one, thing two... 


It is clear that uniform logging by websites and ISPs enables the user's activities and interests to be easily determined. 


An account is compromised and tied to the user if even a single login originates from a non-Tor connection / IP address. Singular mistakes are often fatal and have led to the 
downfall of many "anonymous" users. 


Login to Banking or Online Payment Accounts teat 


Logging into banking, PayPal, eBay or other important financial accounts registered in the user's name is not recommended. Where money is involved, use of Tor risks the account 
being suspended due to "suspicious activity" by the fraud prevention system. The reason is hackers sometimes use Tor for committing fraud. 

Using Tor with online banking and payment accounts is not anonymous for reasons already outlined. It is pseudonymous and only offers location privacy and a circumvention 
method in the event access to the site is blocked by the ISP. The difference between anonymity and pseudonymity is covered in an earlier section. 

If a user is blocked, in many cases the service's support division can be contacted in order to have the account unblocked. Some services will even allow the fraud protection policy 
to be relaxed for the user's account. 

Whonix ™ developer Patrick Schleizer is not opposed to using Tor for circumvention and/or location privacy. However, the user should appreciate that banking or other online 
payment accounts risk getting (temporarily) suspended. Other outcomes are also possible (service bans, account deletion and so on) as mentioned in warnings on this page and 
throughout the Whonix ™ documentation. Users who are aware of the risks and who feel comfortable using Tor in their personal circumstances are of course free to ignore this 
advice. 


Login to Social Networks Accounts and Think you are Anonymous tat 


Do not login to personal Facebook or other social network accounts over Tor. Even if a pseudonym is used instead of a real name, the account likely has linked friends who know 
the account's true owner. As a result, the social network can reasonably guess who the user really is. 

No anonymity solution is perfect. Online anonymity software may reliably hide IP addresses and location data, but Facebook and similar corporations do not need this information. 
Social networks already know: who the user is, associated friends, the content of "private" messages sent and so on. This data is at least stored on social network servers, and no 
kind of software can delete it. Only social networking platforms and hacking groups could remove it. |?" 


Users who log into personal Facebook and other accounts only get location privacy, but not anonymity. 


This is not well understood by some social network users: [7 


mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you. 


Login to Twitter, Facebook, Google etc. Longer than Necessary ts 


Restrict the logged in time for Twitter, Facebook, Google and any other account-based services (like web forums) to the absolute minimum required. Immediately log out after 
reading, posting, blogging and other tasks are complete. Following log out, it is safest to then shut down Tor Browser, change the Tor circuit using a Tor Controller, wait for 10 
seconds until the circuit has changed and then restart Tor Browser. For better security follow the recommendations to use multiple VM Snapshots and/or use multiple Whonix- 
Workstation ™. 

This behavior is necessary because many websites include one or more of the many integration buttons, such as Facebook's "Like" button and Twitter's "Tweet This". 3] In fact, in 
the top 200,000 Alexa websites, Facebook and Twitter social widgets are included in around 47% and 24% of those, respectively. Google third-party web services are included in 
around 97% of the same sample, mainly comprising Google analytics, advertisements and CDN services (googleapis.com). P4 23] If a user is still logged into a service, those 
buttons tell the originating service that the website was visited. !7°! 


The danger of third-party resources to privacy should not be underestimated: [271 [8I] 


Every time a user’s browser is instructed to fetch a third-party resource, that third-party server is given the ability to deliver tracking scripts and associate the first-party website with the bearer of third- 
party cookies and browser fingerprints. This tracking of online behavior allows for the construction of increasingly detailed user profiles, including sensitive information such as a user’s political views 


and medical history. 


Users should also read the chapter above. 


system Settings ji 


Change Settings if the Consequences are Unknown traig 


It is usually safe to change user interface settings for applications which do not connect to the internet. For example, checking a box like "Don't show any more daily tips" or "Hide 
this menu bar" will have no effect on anonymity. 

Before changing any settings you are interested in, first read the Whonix ™ documentation. If the change is documented and recommended against, then try to persevere with the 
defaults. If the change is undocumented, then carefully research the proposed action before proceeding. 

Changing settings for applications which connect to the internet (even user interface settings) should be thoroughly reviewed. For example, removing a menu bar or maximizing the 
screen in Tor Browser is recommended against. The latter is known to modify the detectable screen size, which worsens the user's web fingerprint. 

Modification of network settings should only be undertaken with great care, and if the consequences are known. For example, users should avoid all advice pertaining to "Firefox 
Tuning". If the settings are believed to be sub-optimal, then changes should be proposed upstream so they change for all Tor Browser users with the next release. For a 
comprehensive list of unsafe Tor Browser habits, see here. 


TOM wa 


Allow Tor over Tor Scenarios tay 


OD This is a Whonix ™-specific issue. 





When a transparent proxy is used (like in Whonix ™), it is possible to start a Tor session from the client as well as from the transparent proxy, creating a "Tor over Tor" scenario. 
This happens when installing Tor inside Whonix-Workstation ™ or when using Tor Browser without configuring it to use a SocksPort instead of the TransPort. This is covered in 
further detail in the Tor Browser entry. 


Doing so produces undefined and potentially unsafe behavior. In theory, the user could get six hops instead of three in the Tor network. However, it is not guaranteed that the three 
additional hops received are different; the user could end up with the same hops, possibly in reverse or mixed order. The Tor Project opinion is that this is unsafe: !°! 


We don't want to encourage people to use paths longer than this — it increases load on the network without (as far as we can tell) providing any more security. Remember that the best way to attack 
Tor is to attack the endpoints and ignore the middle of the path. Also, using paths longer than 3 could harm anonymity, first because it makes "denial of security" attacks easier, and second because it 
could act as an identifier if only a few people do it ("Oh, there's that person who changed her path length again"). 


Users can manually choose an entry or exit point in the Tor network, °°! but the best security relies on leaving the route (path) selection to Tor. Overriding the choice of Tor entry 
and/or Tor exit relays can degrade anonymity in ways that are not well understood. Therefore, Tor over Tor configurations are strongly discouraged. 


License of "Prevent Tor over Tor scenarios.": l! 


Do Use Bridges if Tor is Deemed Dangerous or Suspicious in your Location trs 


This recommendation comes with an important caveat, since Bridges are not a perfect solution: [1] 


Bridges are important tools that work in many cases but they are not an absolute protection against the technical progress an adversary might make in identifying Tor users. Using bridges might be 
advisable to prevent identification as a Tor user, but the Tor Project's bridges documentation ['"'vel is primarily focused on censorship circumvention, that is, overcoming attempts by ISPs or 


government to block Tor use. 


Switch Between Tor and Open WI-FI tag 


Some users mistakenly think open Wi-Fi is a faster, safe "Tor alternative" since the IP address / location cannot be tied to their real name. For reasons explained below, it is better 
to use open Wi-Fi and Tor, but not open Wi-Fi or Tor. 


The approximate location of any IP address can be estimated to the city, region or even street level. Even if a user is away from their home address, open Wi-Fi still gives away the 
city or approximate location since most people do not switch continents. The person running the open Wi-Fi router and their policies are also unknown variables. They could be 
keeping logs of the user's MAC address and linking it with the activity being sent in the clear through them. 


While logging does not necessary break user anonymity, it does reduce the circle of suspects from the entire global population, a continent, or the country, down to a specific 
region. This effect strongly degrades anonymity. Users should always keep as much information as possible to themselves. 


Use Clearnet and Tor at the Same Time tat 


Using a non-Tor browser and Tor Browser at the same time runs the risk of confusing them at one point, and de-anonymizing yourself in the process. It is also risky to use clearnet 
and Tor at the same time because simultaneous, anonymous and non-anonymous server connections might be established. 


Concurrent clearnet and Tor (Browser) connections are recommended against for several reasons. First, the user can never be certain when an identical page is visited 
anonymously and non-anonymously at the same time. The reason is only the URL is visible, not how many resources are fetched in the background. Second, many different 
websites are hosted in the same cloud and services like Google Analytics [chive] are present on most websites. This leads to at least one known data harvester seeing numerous 
anonymous and non-anonymous connections. 


If this advice is disregarded, then it is safer to utilize at least two different desktops to prevent confusing one browser with another. 


What is Clearnet? isi 


This term has two meanings: 


1. Connecting to the regular Internet without the use of Tor or other anonymity networks; and/or 
2. Connecting to regular servers which are not onion services, irrespective of whether Tor is used or not. 


Rationale ra 


The reader may skip this section. 


This page risks stating things that are obvious, but the question must be asked: "Obvious to whom?". The above points may only be common sense to developers, hackers, geeks 
and other people with technological skills. 


The above-mentioned groups tend to lose contact with non-technical users. It is useful to sometimes read usability papers or the feedback from people who do not post on mailing 
lists or in forums. Consider the examples below: 


e To Toggle, or not to Toggle: The End of Torbutton [archive]; 
mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you. 


e tor-dev First-time tails/tor user feedback [achive] 
e Eliminating Stop-Points in the Installation and Use of Anonymity Systems: a Usability Evaluation of the Tor Browser Bundle [archive] 
e North Korea: On the net in world's most secretive nation [@'ch'vel (w [archive]; 


In order to make sure the mobile phone frequencies are not being tracked, | would fill up a washbasin with water and put the lid of a rice cooker over my head while | made a phone call," said 
one interviewee, a 28-year-old man who left the country in November 2010. 


Footnotes ra 


18. 1 Tor B houl t K f t f [archive] 
1.1 1011 1-2 For example, an identifier could be a (Flash) cookie with a unique ID. a Fer BIOS eran Sere ete lees le Meer siaed eat ase Ona ees 


Sa , , 19. 1 https://en.wikipedia.org/wiki/Server_log [archive] 
2. 1 Unfortunately, fingerprinting defenses are not yet perfect in any browser and there are still 


. t http://dee.su/liberte [archive] 
. 1? Quote [archive] (w) [archive] 


. 1 Since they are known by the recipient. 


[archive] 


20. t https://en.wikipedia.org/wiki/Deep_packet_inspection 

21. 1 The former is unlikely to ever delete data, since profiling is the primary method of 
monetizing users with "free" accounts. Profiling is used for targeted advertising and to 
generate large user databases that can be on-sold for profit to third parties. 

22. t To Toggle, or not to Toggle: The End of Torbutton larchvel 

23. t Notably, Facebook also keeps records on everyone [hive] who views a page with a 
Facebook like button. 


Oo of WwW 


. } But this information can be easily ascertained via ISP records which link Internet service 
accounts with a registered name and address. Alternatively, this information is leaked by the 
real (clearnet) IP address that was originally used to register for the service in the first place, 
since Tor registration is regularly blocked. 

7. + 797-1 72 This was originally posted by adrelanos (proper) to the Torify HOWTO [archive] (w 
larchive]) (license [archivel) (w larchivel) Adrelanos did not surrender any copyrights and can 
therefore re-use it here. It is under the same license as this DoNot page. 

8. t See: TPM—Fail: TPM meets Timing and Lattice Attacks [@"cnivel, 

9. 1 https://nvipubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf [archive] 

10. t https://www.loggly.com/ultimate-guide/linux-logging-basics/ [erehive] 

11. + https://www.thegeekstuff.com/2011/08/linux-var-log-files ["°"'vel 

12. 1 This is another reason to prefer a random name rather than a real one when installing 

operating systems. 27 


13. 1 IMSI ies 28. } For instance, advanced adversaries are known to piggyback on third-party tracking cookies 
14. + IMEI [archive] to de-anonymize Tor users and to identity targets for exploitation. 
15. 1? Notwithstanding that the person receiving the SMS is likely only a few degrees of separation 29, + https://www.torproject.org/docs/faq.html.en#ChoosePathLength larchive] 
from the end-user (at best). 30 
16. 1 For instance: PDF, word processing document, bitmapped images, audio or video files and 
so on. 
17. t https://lists.torproject.org/pipermail/tor-dev/201 2-April/003472.html [archive] 


24. 1 https://www.securitee.org/files/trackblock_eurosp2017.pdf [archive] 

25. + The top 15 third party services are: doubleclick.net, google.com, googlesyndication.com, 
googleapis.com, gstatic.com, admob.com, googleanalytics.com, googleusercontent.com, 
flurry.com, adobe.com, chartboost.com, unity3d.com, facebook.com, amazonaws.com and 
tapjoyads.com 

26. + For example, Twitter's Tweet, Follow and embedded tweets are used to record browsing 

history [@"ch'vel_ When a page is visited containing one or more of these, the browser makes a 
request to Twitter servers which contains a header informing of the site visited. A unique 
cookie allows Twitter to build a profile of browsing history, even if the user is not a Twitter user 
(for example, when Tor Browser is not used). 

. 1 https://www.securitee.org/files/trackblock_eurosp2017.pdf = [archive 


. t https://www.torproject.org/docs/faq.html.en#ChooseEntryExit larchivel 
31. 1 Before Configuring a Bridge 
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